Why does IE prompt a security warning when viewing an XML file?

Opening an XML file in Internet explorer gives a security warning. IE has a nice collapsible tree view for viewing XML, but it's disabled by default and you get this scary error message about a potential security hole. http://www.leonmeijer.nl/archive/2008/04/27/106.aspx

But why? How can simply viewing an XML file (not running any embedded macros in it or anything) possibly be a security hole? Sure, I get that running XSLT could potentially do some bad stuff, but we're not talking about executing anything. We're talking about viewing. Why can't IE simply display the XML file as text (plus with the collapsible tree viewer)?

So why did they label this as a sec开发者_StackOverflow社区urity hole? Can someone describe how simply viewing an XML document could be used as an attack document?

I don't think Ian is correct. What's actually going on is that the collapsible tree viewer is HTML, and it includes JavaScript. IE is rendering the XML as colorized, collapsible HTML, and the expand/collapse code is implemented in JavaScript. Then, IE hits the default security policy that prevents it from executing JS in files that are opened from the local filesystem, and it gives you that warning about how "this webpage" is restricted from running scripts.

You can verify this by noting that if you do not choose to "Allow Blocked Content" then the expand/collapse will not function. If you do allow scripts to run, the expand/collapse will suddenly start working.

IE is still rendering the document even though in the end it's showing you that nice tree view you like. What it is actually showing you is a transformed version of the XML file. IIRC it transforms the the doc to DHTML using XSLT. So the doc is still being run through its rendering engine. If, in the course of rendering the document, a tag shows up that says something like

<object ... />

IE will probably fetch the object and load it into the document. If the object is a malcious ActiveX control or a bit of nasty Java it'll get run.